Tag Archives: Security

Ohio Section Journal – The Technical Coordinator – June 2024 edition

One of the responsibilities of the Technical Coordinator in the Ohio Section is to submit something for the Section Journal. The Section Journal covers Amateur Radio related things happening in and around the ARRL Ohio Section. It is published by the Section Manager Tom – WB8LCD and articles are submitted by cabinet members.

Once my article is published in the Journal, I will also make it available on my site with a link to the published edition.

You can receive the Journal and other Ohio Section news by joining the mailing list Tom has setup. You do not need to be a member of the ARRL, Ohio Section, or even a ham to join the mailing list. Please sign up!

If you are an ARRL member and reside in the Ohio Section, update your mailing preferences to receive Ohio Section news in your inbox. Those residing outside the Ohio section will need to use the mailing list link above.  Updating your ARRL profile will deliver news from the section where you reside (if the leadership chooses to use this method).

  • Go to www.arrl.org and click the Login button.
  • Login
  • When logged in successfully, it will say “Hello <Name>” in place of the Login button where <Name> is your name.  Click your Name.  This will take you to the “My Account” page.
  • On the left hand side, under the “Communication” heading (second from the bottom), click Opt In/Out
  • To the right of the “Opt In/Out” heading, click Edit
  • Check the box next to “Division and Section News.”  If it is already checked, you are already receiving the Ohio Section Journal.
  • Click Save
  • There should now be a green check mark next to “Division and Section News.”  You’re all set!

Now without further ado…


Read the full edition at:

THE TECHNICAL COORDINATOR
Jeff Kopcak – TC
k8jtk@arrl.net

Hey gang,

As Technical Coordinator for the Ohio Section, I oversee the section’s Technical Specialists. We are here to promote technical advances and the experimentation side of the hobby by encouraging amateurs in the section to share their technical achievements in QST, at club meetings, in club newsletters, and at hamfests and conventions. We are available to assist program committees in finding or providing suitable programs for local club meetings, ARRL hamfests, and conventions within the section. When called upon, serve as advisors for RFI issues and work with ARRL officials and other appointees providing technical advice.

Technical Specialists are a cadre of qualified and competent individuals here for the “advancement of the radio art,” a profound obligation incurred under the rules of the FCC. TS’s support myself and the section in two main areas of responsibility: Radio Frequency Interference (RFI) and technical information. They can specialize in one or more areas or be generalists with knowledge in many areas. Responsibilities range from serving as consultants or advisors to local hams or speaking at local club meetings on popular topics. In the Ohio Section, there are 12 qualified specialists.

RFI and EMI (electromagnetic interference) includes harmful interference that seriously degrades, obstructs, or repeatedly interrupts a radio communication service such as ham radio or public service agencies. RFI sources range from bad power insulators, industrial control systems, nearby or poorly made transmitters, household appliances, personal devices like computers, monitors, printers, game consoles – to grow lights, failing or poorly made transformers, and devices hams brag about getting cheap from China. Technical Specialists can offer advice to help track down interference or locate bozo stations when called upon. Technical information is wide-ranging, everything from antennas to Zumspots.

How can we help? The knowledge and abilities of YOUR Technical Specialists are really quite impressive:

  • Amplifiers
  • Antennas (fixed, portable, emergency operation)
  • Antenna systems such as towers, guying, coax/feedlines, and baluns
  • Boat anchors (tube technology)
  • Computer systems – Windows, Linux, Raspberry Pi
  • Digital voice and data modes – including D-STAR, DMR, Fusion, NXDN, P25, APRS, IGates, packet, TNCs, MT63, FT8/4, Olivia, PSK, etc.
  • Direction finding
  • Electronics and circuits, including teachers whom have taught electronics classes
  • Former repair technicians
  • Home brew
  • Internet linking (Voice over IP, aka VoIP) – Echolink, AllStar/HamVoIP, DVSwitch, PBX/Asterisk
  • Mobile installations – HF, VHF/UHF, antennas
  • Narrow Band Emergency Messaging System (NBEMS) – Fldigi and Flmsg
  • Networking – AMPRNet, routers, port forwarding, ISPs, firewalls, mesh, microwave
  • Power supplies
  • Propagation
  • Repeaters, controllers, and high-profile systems
  • RFI caused by power lines and consumer appliances
  • RF safety
  • SHARES stations (SHAred RESources – Department of Homeland Security HF radio program)
  • Software Defined Radios (SDR)
  • Tower safety
  • Professional certifications such as Motorola Certified Technicians, Master Electrician, Certified Journeyman Electronics Technician, General Radiotelephone Operator License (GROL), ETA certifications, Society of Broadcast Engineers (SBE) certifications and affiliations, and Marine Radio Operator permit holders.

This impressive list of qualifications are available resources to all in the Ohio Section. Looking for guidance in one of these areas? Need a program for your club meeting? How about a technical talk or forum at a hamfest? Assistance or direction on a project? My contact info is near my picture and on the arrl-ohio.org website. I’ll assist getting you in touch with an appropriate Technical Specialist.

Hamvetion Recap

Original 1964 Collins Communication Van at Hamvention

Another Hamvention has come and gone. This was emotional because this was the first since my dad passed, N8ETP. Hamvention was something we did together. He didn’t go last year because (we didn’t know it at the time) he was suffering from post-operation complications. He was looking out from above because I had no shortage of company on this trip. I checked into the hotel, then went to dinner. Immediately met a father and son on their first trip to Hamvention. We talked about the show, past shows, what to expect, and some pro tips. Ironically, the dad was released from the hospital a week prior after recovering from an infection. If they’re reading, I apologize I don’t remember your calls – send me a message and I’ll add them later.

Figuring the rain would keep attendees away Friday morning, traffic was worse than anticipated. Busses were stuck in with those trying to get into on-site parking, causing delays and lines at the high school. It took over an hour from the high school until I got into the fairgrounds. Broke out the poncho for the first time in a number of years.

After being admitted, checked in with the ARRL Ohio Section/Great Lakes Division table to say howdy to our leadership and swap stories. Shortly after leaving the booth, ran into George – W5JDX and Mike – VE3MIC from AmateurLogic.TV and spent the rest of the day hanging out with those guys. Due to rain, George didn’t do any recording until after we grabbed some lunch. Hilarity insured behind the camera as well as in front.

I left about 4pm to get ready for dinner. At dinner, I ran into George again. We were chatting and before we knew it, realized it was 8pm. We had intended on going to the D-STAR evening gathering but didn’t make it since we were having a big time.

Saturday, ran into Mike – this time in the flea market – and we walked a good portion of it in the morning. Mike and cousin Jerry were going to head back home around noon. I walked the rest of the flea market because that was something dad liked to do too. Before leaving, talked with some inside vendors I wanted to speak to.

Inside the Collins Communication Van

Shopping list was sparse this year. Only thing I was really looking out for was a place that built ham shacks/outdoor buildings. The camper converted into my existing hamshack really needs to be replaced. I didn’t see any builders there. Rest of the shopping list was “nice to haves” – radio with a TNC for APRS or Winlink. Maybe other APRS gear. Couple Motorola pieces of equipment I’ve been looking for. Been wanting to get a D-STAR radio with the latest features. I took advantage of a show special at DX Engineering and picked up an ICOM ID-52, mainly because the restrictions (by ICOM) were lifted on the show specials.

A ham in the area, whom I’ve gotten to know, was looking to unload some of his gear. I picked up a used ICOM IC-746Pro and Micro Keyer. Fortunately, I was able to try out the radio before I bought it. Doing some research online found out the most common problems with the 746 are the display backlight goes flaky, eventually crapps out, and a dead transmitter. Both were non-issues.

This ham did say the tuning knob might be loose. It didn’t seem much different than my IC-7000. Upon using it at home, there might be an issue with the knob because it does repeat the same frequency numbers over and over again on occasion. I’ll look into tightening or cleaning the knob/encoder to see if that resolves it. It’s not a big deal because most of my operation is digital and I use remote control through a CI-V cable.

Otherwise, it’s been working fine on Winlink. There are a couple differences I like in my 7000 over the 746. Main one being it keeps switching back to USB from D-USB for digital operation. Functionally, it’s working as expected.

A stop at Micro Center in Columbus on the trip back home is required for some post-Hamvention spending. The Columbus location is a bigger store than my closest location on the east side of Cleveland (Mayfield Heights), which means they have more stuff out on display. I needed some larger capacity USB Flash Drives and they had a Lenovo ThinkPad on sale. I’d been having trouble with my existing laptop failing to charge the battery. I found out the Columbus store is a larger location because it is the flagship store for Micro Center as their headquarters are about 15 minutes away. That store will have items not (yet) available at other locations as a test to see if an item sells out.

The same general themes kept popping up before the show and at the show from other attendees: ‘this maybe [my] last one’ and ‘show specials can be found online.’ With the economy in the crapper and inflation in its current state, it’s getting even more expensive to attend Hamvention. $500 and up for a single room in the area for the weekend. With other local events, such as grade school sporting tournaments and antique flea markets, hotel rates are higher due to demand. There were a couple issues at my hotel too. While the staff tried to make it right offering bonus points, the issues still shouldn’t have happened when you’re paying that much for a room. An inconvenience for what was supposed to be an otherwise enjoyable time.

Hamvention show specials, for the most part, can be found online too. Not all distributors bring a lot of gear (inventory) to sell – except for maybe the most popular radios and models. Heil Sound is one vendor most people I know reference because we were involved with Ham Nation. Back at Hara Arena, they had an entire side of Audio Alley with equipment and inventory for sale. Heil Sound had a 6-foot table this year showcasing headset and some microphone offerings. They, like many others, are relying on distributors for show specials and handling of inventory – which goes back to the show specials are also found online. MFJ wasn’t there because they ceased production as the show was getting underway. I heard in the flea market: ‘sellers are looking for top dollar and buyers are looking for the cheapest deals.’ Things weren’t flying out of the flea market either.

Despite that, according to the Hamvention website, this year’s event was record-setting attendance at 35,877. I will always be of the belief “if you’ve never been to Hamvention, you need to go at least once in your life.” It’s more of a social and nightlife gathering, with vendors putting new gear ‘under glass’ at the show.

ARRL Network Incident

Not to bury the lead but I figure I would touch on the announcement posted on the ARRL website regarding the “serious incident involving access to our network and headquarters-based systems.” This incident was big enough news to make an online Cybersecurity trade publication, SecurityWeek. I don’t know anything more than the information made available in the league’s post but I suspect the last paragraph in the SecurityWeek article is the reason.

From the Information Security side, in this day and age, where everyone wants things to be convenient – conveniently accessible resources, conveniently ways to order things online, convenient ways to make membership changes, convenient apps to use – it’s not a matter of “if” something will be compromised, but “when” will something be compromised. The “when” for the ARRL happened to be right before Hamvention.

As noted in the ARRL post, people are asking if personal information is compromised – they haven’t said “yes” but it seems very likely. How an organization comes out looking in these trying times comes down to how they handle their responses – how they improve security posture, how they communicate the extent of the breach to its members, reporting to regulators/investigators, services offered to those concerned about their personal information, how they clean up and recover, making sure it doesn’t happen again, etc. If true, the “ARRL does not store credit card information anywhere on our systems, and we do not collect social security numbers” which helps with regulators and government but leaves privacy minded individuals who do not wish for personal details, albeit “publicly available,” to fall into the wrong hands.

Yes, this absolutely should not have happened. In a perfect world, it wouldn’t have happened. We don’t live in a perfect world and not everyone is perfect despite how some present themselves.

From my own experience, working with vendors and Managed Service Providers (MSPs), it takes a lot of extra work to make sure what they are telling you is correct and make sure what they do is correct. ARRL does use Microsoft services and they’ve had their share of scathing reports of inadequate security practices recently. I work with a lot of different Information Technology (IT) teams. The number of analysts (and management) that know very technical details about systems they are responsible – is remarkably low. When an analyst doesn’t know their system, doesn’t know how modifications affect that system, how would they know if a modification opens their organization to attack? Maybe an employee was thinking they were doing their job but clicked a password stealing link or downloaded a fake invoice containing a malicious payload (malware that performs malicious activity). The latter is often due to a lack of proper training in security practices for general employees. Again, these are only my experiences and observations working in IT.

The ARRL posting has been updated several times as recovery progresses and systems come back online. This disrupted most ARRL IT systems including phone systems, Logbook of the World (LoTW), VEC application processing, some magazine resources, store orders and shipping. LoTW data is “secure” presumably meaning no uploaded contact logs have been lost. The arrl.net forwarding system was not affected but I’ve been moving off it due to messages being bounced previously.

Thanks for reading and 73… de Jeff – K8JTK

Ohio Section Journal – The Technical Coordinator – October 2022 edition

One of the responsibilities of the Technical Coordinator in the Ohio Section is to submit something for the Section Journal. The Section Journal covers Amateur Radio related things happening in and around the ARRL Ohio Section. It is published by the Section Manager Tom – WB8LCD and articles are submitted by cabinet members.

Once my article is published in the Journal, I will also make it available on my site with a link to the published edition.

You can receive the Journal and other Ohio Section news by joining the mailing list Tom has setup. You do not need to be a member of the ARRL, Ohio Section, or even a ham to join the mailing list. Please sign up!

If you are an ARRL member and reside in the Ohio Section, update your mailing preferences to receive Ohio Section news in your inbox. Those residing outside the Ohio section will need to use the mailing list link above.  Updating your ARRL profile will deliver news from the section where you reside (if the leadership chooses to use this method).

  • Go to www.arrl.org and click the Login button.
  • Login
  • When logged in successfully, it will say “Hello <Name>” in place of the Login button where <Name> is your name.  Click your Name.  This will take you to the “My Account” page.
  • On the left hand side, under the “Communication” heading (second from the bottom), click Opt In/Out
  • To the right of the “Opt In/Out” heading, click Edit
  • Check the box next to “Division and Section News.”  If it is already checked, you are already receiving the Ohio Section Journal.
  • Click Save
  • There should now be a green check mark next to “Division and Section News.”  You’re all set!

Now without further ado…


Read the full edition at:

THE TECHNICAL COORDINATOR
Jeff Kopcak – TC
k8jtk@arrl.net

Hey gang,

Two years ago, I wrote an article for the OSJ dealing with “cyber hygiene” – practices and precautions users take to keep their data safe and secure from outside attacks. I didn’t rehash it last October since most of the article was still relevant. For this year’s “Cyber Security Month,” it’s time for an update. I still encourage everyone to re-read that article in the October 2020 OSJ or on my website as 95% of it is still best-practice for normal people.

The browser is still one of the most utilized pieces of software in modern computing and one of the most attacked. Users hanging on to Internet Explorer are finding it harder and harder to visit modern sites as new encryption standards are recognized and made industry standard. Using an End of Life browser, users are seeing a lot of “This page can’t be displayed” because it doesn’t support current methods of protecting communication.

Brave browser (brave.com)

Chrome, Firefox, Microsoft Edge, and Opera remain good choices. Brave browser is a good alternative if you don’t want to use a native Google browser. It’s based on the Chromium project for those who want a privacy-focused browser. Before jumping to Brave, some things to be aware of before you have a jarring first impression. There are ads – mostly for cryptocurrency. Why recommend an ad supported browser for crypto-what? Unlike Chrome, which makes money on user’s data, Brave pays the bills with safe ads (opposed to malicious ones that would infect your computer). They can be turned off. If ads in a browser are not your cup of tea, there are plenty of other browser options but note Brave took top spot for privacy in terms of phoning home:

Used "out of the box" with its default settings Brave is by far the most private of the browsers studied. We did not find any use of identifiers allowing tracking of IP address over time, and no sharing of the details of web pages visited with backend servers (Leith).

Pi-Hole and 3rd party DNS services, such as Quad 9, are good options for blocking ads, tracking, annoyances, and malicious content at the network level. To go a step further and block unwanted social media, games, messaging apps, dating sites, or streaming services or entire categories of sites, freemium services like NextDNS and AdGuard offer additional blocking options. Advanced features including newly registered domain blocking, typo-squatting domain blocking (domains registered by squatters taking advantage of type-o’s made when users are inputting a site’s URL), parked domains, and entire top-level domain blocking go above Pi-Hole and other free services.

Free tier gives you a limited number of DNS queries. With devices that freak out when they can’t phone home or heck, the cloud providers used by my workplace, you’ll blow through the free tier quickly. With a yearly plan, the price is around $1.75/month. OpenDNS has a completely free tier with basic blocking. Their blocking of services and categories is also a premium option.

Note devices with hard coded or manually entered DNS for other services (such as the popular Google DNS 8.8.8.8) will bypass these protections. A router/firewall with the ability to intercept and re-direct traffic (also called internal port-forward or inside NAT) will stop requests from reaching other DNS services and redirect them to the service of choice.

KeePassXC interface (keepassxc.org)

LastPass, in 2021, decided to make their free tier limited to a device of a single type. Mobile or desktop, not both. To sync between both, a premium account was needed. Granted $3/month isn’t a huge amount (you can give up one coffee), users opted for a service called Bitwarden. It is an open-source password manager offering unlimited devices for free and a family account for $3.33/month with unlimited sharing. An option that appeals to me is the self-hosted option where you are in-control of your data.

KeePass remains a strong choice for managing password databases, especially offline. I recently moved to a fork called KeePassXC. Its lineage came from KeePass in that KeePassX was a fork of KeePass, KeePassXC is a fork of KeePassX. It too is free, open source, and databases are compatible between KeePass and XC if you want to try or use both. I like KeePassXC better due to its cross-platform support and TOTP/2FA integration.

Beyond my 2020 article, I would like to address the issue of administering devices remotely. In particular, devices we leave at remote sites or have in “the cloud.” Whether that is an AllStar node, EchoLink/SVX, Wires-X, router, controller, mesh node, or digital mode reflector. Though I’m writing this in the context of ham radio devices, this applies to anything – including devices on home networks. I hate the idea of devices, which provide services to a very small group, being available to anyone on the Internet. It’s dumb, terrible security practice, hygiene, and there are better options.

‘Well, my device is password protected!’ Most don’t change the default password on their device. Ones that do many have purchased from a dud company that ignores vulnerabilities for 3 years that, in theory, would allow anyone access to their camera, Wyze.

For clarification, I’m not taking the ports needed for normal user access to the AllStar/Wires-X/EchoLink/reflector/whatever. I’m specifically talking about the ports needed for administrative access. Ones such as SSH and remote desktop. Admins that figured out OpenVPN or WireGuard tunnels or ones that only have local access to admin services, you’re good.

With common admin services open to the Internet, check the logs. Internet miscreants are trying common username and password combinations. Not to mention probes not seen in logs like fingerprinting to figure out which outdated version is running and looking up exploits against that version. Once they get in, they will configure that device to be a cryptocurrency miner (making money for the bad guy), another device in their bot army used for attacking other victims, figuring what other devices they can get into, not to mention backdoors allowing them access at any time. When this happens, that device can no longer be trusted.

Fail2Ban is a popular option that only slows down attackers, doesn’t provide distributed brute-force attack protection, and is not available on Windows. Doesn’t solve the issue of unnecessarily exposing admin services to the Internet. Changing ports is not secure, often called security through obscurity – which is not security. A quick scan of the IP address will reveal the new port. SSH keys with PasswordAuthentication set to “no” is about as good of protection as you can get when wide-open access is needed.

ZeroTier and Talescale are an easy-to-use middle ground between the options of wide-open access and creating your own VPN connections. Both services create secure connections to just about any device including: Windows, MacOS, Android, iOS, Linux (including Raspberry Pi), BSD, and some Network Attached Storage devices. The device reaches out to a central server or peer, establishing a private connection. Permitted users are then able to establish connections with that device. A club might have five administrators, all five would have provisioned accounts for access to their club’s remote site devices.

These services are freemium and proprietary (not open-source) but they do have self-hosted options. Once the service is up and running, close the administration service ports in the router. Configure the device to only accept connections for admin services on the ZeroTier or Talescale interfaces.

For web services, such as status pages or dashboards running on devices at remote sites, something to consider is a reverse proxy as an additional layer of protection. Normally: install and configure the device with a web server stack, install a dashboard or status page, port forward 80 & 443, then hand out an IP address to users or provide link on the club’s webpage to that device, maybe using a DNS/dynamic DNS entry. You’re off and running. The device remains exposed to the Internet. Miscreants could send random junk attempting to bypass authentication or flood the connection with bogus data, denying legitimate users’ access (denial of service).

A reverse proxy works by being the point at which users access the site. Cloudflare is one such reverse proxy service and offers a free tier for personal/hobby sites. The proxy inspects traffic to determine if it is legitimate. Legitimate traffic is allowed to pass onto the server. Illegitimate traffic is dropped and never seen by the server, protecting it from possible malicious traffic. An additional benefit is the real IP address of the server or device, at a site or at home, is not easily determined, making the device less unlikely to be exploited.

(cloudflare.com)

This protects the device in a different way from that of a private link or VPN like ZeroTier or OpenVPN. The web site is still accessible to anyone on the internet. Having visitor’s setup private links or VPNs for commonly accessible web services is not practical and not something a majority of users will not opt into freely.

The Cuyahoga Amateur Radio Society (CARS) asked for one of our technical presentations at their meeting on October 11th. I was able to give a presentation put together by Technical Specialist, Bob – K8MD, on DMR. He was out-of-town but I was able to give his presentation. There was plenty of questions and good discussion after the presentation. I brought one of my hotspots and a DMR radio to demonstrate the AmateurLogic.TV Sound Check Net on my multimode system. The net got started about when the meeting wrapped up which was perfect timing. If your club is interested in this or another technical topic, let me know!

I heard from many hams that found my Hamshack Hotline tip useful in last month’s OSJ, including ones outside our section. Yes, they are reading THE OHIO Section Journal =) Some updates: even long after the DNS entry was removed, phones apparently cached the IP address. Some reported their phone still had green lights though the admin interface contained the old DNS entry. With this information, the phone will likely remain working until rebooted. Additionally, as suspected, other domains were seen. Replacing hhux.wizworks.net with hhux.hamshackhotline.com also worked. Some replaced the entire string with only hamshackhotline.com, leaving off subdomains like hhus (as was shown) or hhux. This won’t work either. The subdomain must remain intact.

Thanks for reading and 73… de Jeff – K8JTK

Ohio Section Journal – The Technical Coordinator – October 2020 edition

One of the responsibilities of the Technical Coordinator in the Ohio Section is to submit something for the Section Journal. The Section Journal covers Amateur Radio related things happening in and around the ARRL Ohio Section. It is published by the Section Manager Scott – N8SY and articles are submitted by cabinet members.

Once my article is published in the Journal, I will also make it available on my site with a link to the published edition.

You can receive the Journal and other Ohio Section news by joining the mailing list Scott has setup. You do not need to be a member of the ARRL, Ohio Section, or even a ham to join the mailing list. Please sign up!

If you are an ARRL member and reside in the Ohio Section, update your mailing preferences to receive Ohio Section news in your inbox. Those residing outside the section will need to use the mailing list link above.
Updating your ARRL profile will deliver news from the section where you reside (if the leadership chooses to use this method).
Go to www.arrl.org and logon.
Click Edit your Profile.
You will be taken to the Edit Your Profile page. On the first tab Edit Info, verify your Email address is correct.
Click the Edit Email Subscriptions tab.
Check the News and information from your Division Director and Section Manager box.
Click Save.

Now without further ado…


Read the full edition at:

THE TECHNICAL COORDINATOR
Jeff Kopcak – TC
k8jtk@arrl.net

DSCF5081 K8JTKHey gang,

October is associated with a number of things: apple cider, fall weather, foliage displays, pumpkins, and Halloween costumes. One thing that might be gruesome, like some Halloween costumes, is most people’s cyber hygiene. Cyber hygiene relates to practices and precautions users take to keep their data safe and secure from outside attacks. October, in addition to the above, is Cybersecurity Awareness Month. It is a way to raise awareness about the importance of cybersecurity and give everyone resources to be more secure online.

uBlock Origin on mlb.com

First up, web browser. This is the portal and gateway to modern computing. A browser should be current, supported, and one that is updated. Current web browsers are ones like Chrome, Firefox, Microsoft Edge, and Opera. These are constantly being updated to support newer technologies, protect users, and eliminate known vulnerabilities. Don’t use a camera, microphone, or other accessories during browsing interactions? Disable access to them in the browser’s options. I’m not sure the last time I used a MIDI interface. Disabling it hasn’t affected my browsing in Chrome.

Browser extensions (or plugins): Limit the number of installed extensions and make sure they are also current and being updated. The one extension I have on every browser I use, including at work, is uBlock Origin. It is an excellent ad-blocker and does it very effectively. Additional features include ability to block other sources of vulnerabilities, such as scripts, large media items, like videos, and known bad domains. A lot of people love NoScript. It’s even better, security-wise, than uBlock Origin. However, like everything in security, there are tradeoffs. NoScript does what it says, block scrips like JavaScript because they are a major source of security problems. This is great in principle but it basically breaks every site on the Internet. Whitelisting necessary scripts to make a trusted site work, I think, is more effort than it’s worth. Choose the better option for you. For me, it’s uBlock.

Another good browser extension is HTTPS Everywhere. When a site is loaded over an unsecure connection, this extension upgrades it to a secure connection is one is available. Most severs configured by capable admins are now serving up HTTPS by default and redirecting HTTP connections to HTTPS. Finally, PrivacyBadger is good at blocking third-party tracking and browser fingerprinting. Browser fingerprinting is the ability for a site to interrogate the browser about the system it is running on. For example, which browser, is it accepting cookies, plugins installed, time zone, screen size and color depth, system fonts, language, OS and platform, touch device, and device memory. PrivacyBadger blocks sites from accessing many of these properties.

Bad sites: In August, I talked about the Pi-Hole security device. This device provides similar blocking to uBlock Origin but at the network level. Any browser plugins only add protection to sessions in that browser. It doesn’t block tracking, malware, or ads in other applications running on the PC. It doesn’t offer protection for any other device on the network such as phones, tablets, streaming, surveillance, and “smart” devices. That is where Pi-Hole comes in by blocking known bad domains at the network level. It will keep ads off smart TVs, Roku’s, and keep digital footprints to a minimum. A caveat, devices using hardcoded DNS servers (usually IoT, DNS over HTTPS) will bypass any Pi-Hole filtering. Routers that can perform NAT Redirection can re-route requests to Pi-Hole and block DOH.

If you don’t want to add a device like Pi-Hole, changing DNS servers in a home router will offer more protection. I recommend OpenDNS as a security focused DNS service. OpenDNS is free to use and enabled by simply setting Primary DNS and Secondary DNS to these IPs: 208.67.222.222 & 208.67.220.220 – does not matter which goes into primary/secondary. They do offer paid services which can categorically block sites and does require a little more setup. Another good DNS filtering service is “Quad 9” or 9.9.9.9 as the DNS server. These services block access to known infected sites made through DNS requests.

Password managers: sites do a relatively poor job of securing their user and password databases. On the other hand, users do a poor job of choosing strong passwords. We know this because of sites like Have I Been Pwned (pronounced “owned”) which search stolen password databases for associated Email addresses. Showing as ‘pwned’ on that site indicates the Email address was found in a database breach. Searching an old Email address of mine found two services I did not recognize. I suspect the data changed hands through company acquisition but, more likely, my information was sold to the highest bidder.

KeePass main window (keepass.info)

Lists are published of the most commonly used passwords from these breaches. Many are even easy to guess like 123456, password, qwerty, dragon, baseball, monkey, and letmein. A password manager will generate strong passwords and remember them so you don’t have to. In general, if you can remember passwords for services, you’re doing it wrong. It’s good to know the password for logging on to the computer and the password for your password manager. That’s about it anymore. Being able to remember passwords means they’re probably easy to guess. 55@[hg@owtWF(6eDOXR0 – is not be an easy to guess password, has lots of entropy, and would take around 1.15 thousand trillion trillion centuries to guess using one thousand guesses per second.

LastPass & KeePass will do the job of creating strong passwords and remembering (saving) them. Both of these password managers are considered best-of-breed because of their features, history of responding to issues quickly, and constantly squashing bugs. Other password managers do not have this reputation and most don’t offer adequate protection from attacks. LastPass is an online service. They have a free option but useful features will be found in the $3/month for single user and $4/mo. for families. If you don’t trust “the cloud” or want to manage your own password database(s) offline, KeePass is what you want.

Both have the ability to generate, store passwords, and save notes associated with an account. Largely they’re both available on multiple platforms in multiple browsers. LastPass apps tightly integrate many device types with their service. KeePass relies largely on the community to implement addons and create apps for platforms like Android. LastPass has nice features allowing sharing among family members or sharing banking credentials with a spouse. Another feature I like in LastPass is the ‘dark web’ monitoring and alerting for breached credentials. These alerts let you know it’s time to change that password. To retrieve stored usernames and passwords from a password manager, they’re copied and pasted from the app or automatically filled into a webpage using a browser extension.

LastPass interface (lastpass.com)

Both services require some sort of master password which MUST be remembered. LastPass gets its name from the password used to access their service as the ‘last password’ you’ll ever need. An easy way to generate such as password would be to find a famous speech, song, or lines from a movie. Take the first letter of each word, throw in some numbers, and voila! Strong master password. This method will create a password that is hard to crack but easy for you to remember. As an example, take the first line of the Gettysburg Address:

Four score and seven years ago our fathers brought forth upon this continent, a new nation, conceived in liberty, and dedicated to the proposition that all men are created equal.

Taking the first character of each word: Fsasyaofbfutc – even to the first comma is 14 characters and already on its way to being very strong. Get creative, maybe take the second or third letter of every word. Throw in some random capitalization. Then add maybe parts of an old phone number, an old address, old work address, old dorm room number, kids ages, etc. Then it becomes: FsasyaOfbfuTC219419216 – all of a sudden you have a password that takes 8.75 hundred trillion trillion centuries to guess. Sure, you’ll want to write down this password until its memorized. Destroy the written copy after it’s definitely committed to memory.

All this assumes there is no monitoring of the computer or device, no key logging, no intercepting communications, no monitoring the clipboard, etc. The strongest password does no good if it’s used on a compromised machine or used over an unsecure communication channel such as HTTP, FTP, or Telnet – which all use plain-text passwords.

Google Authenticator (play.google.com)

Should there be a situation where you can’t create a completely random password in a password manager or want to use a password that can be more easily remembered in certain situations (not your master password, that would be bad practice), use the xkpasswd generator. Inspired by an XKCD comic, it uses a method of random numbers and common words to create memorable passwords. The example they give: correcthorsebatterystaple – correct, horse, battery, staple.

Last practice I’ll mention this time around is use multifactor authentication. This is also commonly referred to as 2-factor authentication (2fa) or MFA. MFA uses more than one authentication method to validate identity. Usually consisting of something you know, a password, and something you have – a phone app or hardware token. This approach is an additional layer of authentication with the hope that miscreants don’t have access to one or more of those authentication methods. Good multifactor auth changes or rotates every time it’s used or changes after a set amount of time. Modern multifactor technology has been around for more than 15 years. Many companies are rapidly adopting it for all employees because they see value and it has proven to be a good way of keeping miscreants out of their systems. More and more services are adding two factor authentication.

Multi-factor works by going to site-I-login-to[dot]com. Enter your username and password. Usually after clicking log on, you are presented with a multi-factor prompt. Consisting of a pin that rotates frequently, clicking ‘approve’ in a mobile app, hitting a button on a hardware token, or being sent a unique code via SMS text or Email to enter into the site. A lot of services use SMS text messages and Emails. Those two should not be the primary multi-factor validation. SMS messages can be intercepted by miscreants who could have hijacked or cloned the SIM card from the carrier. If they have your password and hijacked SIM card, they might as well be you. Email is readily accessible to organizations hosting the mail server and often transmitted on the wire in the clear – though progress is being made to encrypt email messages in transit.

I like TOTP (time-based one-time password) solutions such as Google Authenticator on a phone or tablet. The password manager database is on the computer or in the cloud. The app lives on the phone, separate from the database. TOTP is an open standard, supported in nearly all services that offer multi-factor auth, doesn’t need a data connection, and isn’t stored anywhere except in a protected database on the phone. These passwords change every 30 seconds and are 6 digits long. In the case where a phone might get lost, there are “recovery” tokens that are generated at the time TOTP is configured. Where should the recovery tokens should be stored? They can be printed and stored in safe, or use your new password manager to secure them!

Scrap Value of a Hacked PC (krebsonsecurity.com)

It’s a couple years old, but Krebs on Security’s Scrap Value of a Hacked PC takes a look at all the things miscreants could do with information learned from a compromised machine. Things like hostage attacks through ransomware (encrypt files and demand payment to decrypt) and reputation hijacking of the social medias or credit scores. Brian’s site is also entertaining reading for taking a peek into the ‘dark web’ on things criminals do with stolen data and credit cards. Other useful security tools are Security Planner which walks you through creating a customized security plan based on interests and goals. PrivacyTools provides tools and knowledge for protection against mass surveillance. These steps and suggestions from known good resources will greatly improve your cyber hygrine for Cybersecurity Awareness month.

Thanks for reading and 73… de Jeff – K8JTK

Ohio Section Journal – The Technical Coordinator – February 2020 edition

One of the responsibilities of the Technical Coordinator in the Ohio Section is to submit something for the Section Journal. The Section Journal covers Amateur Radio related things happening in and around the ARRL Ohio Section. It is published by the Section Manager Scott – N8SY and articles are submitted by cabinet members.

Once my article is published in the Journal, I will also make it available on my site with a link to the published edition.

You can receive the Journal and other Ohio Section news by joining the mailing list Scott has setup. You do not need to be a member of the ARRL, Ohio Section, or even a ham to join the mailing list. Please sign up!

If you are an ARRL member and reside in the Ohio Section, update your mailing preferences to receive Ohio Section news in your inbox. Those residing outside the section will need to use the mailing list link above.
Updating your ARRL profile will deliver news from the section where you reside (if the leadership chooses to use this method).
Go to www.arrl.org and logon.
Click Edit your Profile.
You will be taken to the Edit Your Profile page. On the first tab Edit Info, verify your Email address is correct.
Click the Edit Email Subscriptions tab.
Check the News and information from your Division Director and Section Manager box.
Click Save.

Now without further ado…


Read the full edition at:

THE TECHNICAL COORDINATOR
Jeff Kopcak – TC
k8jtk@arrl.net

DSCF5081 K8JTKHey gang,

Well. Windows 7 reached end-of-life on January 14, 2020. Systems didn’t meltdown. Internet is still running. The world didn’t end. Reaching “end of life” in Information Technology verbiage means the vendor no longer supports the software (or hardware in other cases), won’t provide security updates, and won’t fix bugs or problems. End-of-life (often abbreviated “EOL”) also implies there is a more recent version or iteration that is supported for those things mentioned above. Supported as opposed to the developer throwing in the towel or the company going out of business where there are no updates for other reasons. Windows 7 was my favorite version of Windows – the look and feel was nice, functionally made sense, and it was fast. Reality is that computers running Windows 7 will continue to work as they always have, but start considering alternatives.

No: Windows 7 will not stop working, you don’t need to run out and buy a Windows 10 computer, your files won’t be removed, past Windows 7 updates won’t be pulled from Windows Update, ISPs won’t disconnect you from the Internet for using Windows 7, caches of Windows 7 exploits will not be unleashed.

As with all past Microsoft operating systems, patches and updates will be available on their website and through the Windows Update service for all EOL operating system versions. An install of Windows 2000 can still receive all updates until it went EOL. No updates will be available to implement the latest in encryption enhancements, support newer hardware or protect from newer exploits found in the OS. One thing to note about Windows 7 is there were updates to the Windows Update process during its lifetime. You will run into problems updating a fresh Windows 7 install through the regular Windows Update process.

Your ISP won’t disconnect you for using older versions of Windows. The company you work for will most likely update your machine if it hasn’t been done already. This depends on license and support agreements with Microsoft or reseller. Most companies actively replace equipment to comply with those agreements, replace depreciated assets, and keep equipment current as a way to mitigate exploits that propagate through older operating system configurations.

Yes: you need to stop using Internet Explorer, you can still get the free upgrade from Windows 7 to Windows 10 (for now), you can dismiss the full page Windows 10 update nag screen, you need to patch Windows 7, extended patches from Microsoft are available for a fee, there are third-party alternative patching systems; software, devices, and browsers will continue to work, most programs will still support Windows 7 – at least in the short term.

For the love of all that is holy, stop. using. Internet Explorer. Not only is it riddled with bugs and security flaws, Microsoft keeps flailing round with standards even in Microsoft Edge, which is never a good sign. Chrome is the market leader at over 80% and reports suspected security issues to Google for mitigation or blocking in the browser. However, if you’re not a fan of “the Goog” knowing everything you view on the Internet or heavy-handed implementations in the name of security, alternatives are: Firefox the favorite with Linux users, the privacy focused Brave browser, or Opera if you want to be a one-percenter.

Microsoft offers extended patching (with associated fees) for Windows 7, usually for corporate customers. Consumers can get in on the action but they make it very complicated. Third-party patching is available through companies such as 0patch. The service is free for personal use and non-profit educational use. There are good reviews and many recommendations to use this service. Using these services requires a certain level of trust leaving the responsibility of fixing complex programs to a third-party – because we all know Microsoft has NEVER had problems getting their updates right.

Early Microsoft Windows 10 free update notification aimed at tricking the user into installing software they don’t want, similar tactics are used by spyware authors

The nag screen which recently started (re)appearing for Windows 7 users, reminding them to upgrade, can be dismissed. Click the text that says “Don’t remind me again” – and it actually seems to work as opposed to the weird mind games that were played during the initial push after Windows 10 was launched. Displaying this message raised awareness and reminded users about the impending DOOM of end-of-life. Continuing to offer the free upgrade is an incentive for moving users to a supported OS. Netmarketshare shows Windows 7 utilization is still around 25-30% or about 1-in-3 computers still runs Windows 7.

I was contacted by Jeff – KA8SBI who felt there was a lot of F.U.D. about Windows 7 EOL in the media and he is content using his Windows XP machine. He pointed out “A lot of security flaws have been in the browser.” A small number of browsers still support XP. Anti-malware and anti-virus programs still offer older operating system support as well.

Here’s the argument against running old and outdated crap on the Internet. I am of the school of thought that if you’re connecting any device to a larger network (ie: the Internet), that device (computer, Raspberry Pi, router, switch, server, security camera, TV, printer, DVR, repeater, hotspot, phone, car) must have currently supported operating systems and software. It is each user’s responsibility on the network to be good citizens, follow best practices, and not act as a conduit for spreading malware and exploits. The most effective way to do this is by keeping devices updated and current.

The argument can be made that ‘manufacturers force consumers to buy new devices by not providing any updates.’ Everyone wants their stuff cheap and buying cheap crap leads to these problems. Manufactures barely break-even on most devices let alone leave any extra for updates beyond initial device release. Consumers want to use the device well beyond its serviceable life too. A report released by the Commerce Department outlined things manufactures should do to reduce the number of attacks. It made some good points but was mostly vague [updated link for the report].

Jeff’s point about third-party anti-virus and anti-malware programs that still support XP is a valid one and will help. I stopped and don’t recommend using third-party anti-virus because they were found to downgrade the security of an encrypted session, like ones established during financial transactions, interacting with health care providers, or really almost all Internet communications today.

Remember, though, nothing is ever 100% secure. Secure just means there are no known vulnerabilities – until a researcher or hacker finds one. To Jeff’s point about the flaws being in the browser, the number that exist in the underlying operating system and supporting technologies including OS kernel, .NET framework, Office, database engines, media players, and graphics interpreters are just as important. Microsoft has never completely rebuilt Windows from scratch which is why vulnerabilities often apply across all versions of Windows. It’s the same underlying computer code. Search for stories about important Windows patches. It will often include some verbiage like ‘affects all versions of Windows.’ Some exploits are deemed so bad that Microsoft actually went back and patched some EOL versions, like XP. That does not mean there are no other vulnerabilities because there is no patch. Microsoft is not spending resources on an 18-year-old piece of technology. Non-patched issues still make a system vulnerable and less secure overall.

Ransomware is malware that encrypts files of importance on a system. That is things like downloads, programs, documents, PDFs, spreadsheets, pictures, movies, intellectual property, databases, or public records on local and network attached storage devices. Encryption renders these files unreadable and unusable. The malware then demands a ransom payment to obtain the decryption key and restore files to their usable state. Ransomware is lucrative for the bad guys because no one has effective backups of their data. Various companies, schools, health care, manufacturing, oil and gas, infrastructure, and municipalities have all been infected with ransomware and often pay the ransom. It is an economic trade-off between how much of a payment are the bad guys demanding versus time and effort it would take to restore their systems. Do a search for “ransomware attack” in your favorite search engine and browse the stories to get an idea of the scope and effectiveness of ransomware.

One thing that caused me pause around the details of the ransomware attack on the Georgia Department of Public Safety was a comment about the communication systems being affected. Believe it or not, their old radio system was still functional. This got me thinking about the radio system that covers the state of Ohio or regional systems and how they could easily be taken offline because of this type of attack. I have no knowledge of any instances where these systems were involved in such an attack – this is simply theoretical. As evidenced by the news story, it’s realistic to believe these attacks can take down a state-of-the-art radio communications system. Could be due to a targeted attack, a single computer where someone clicked a malicious link, someone viewed an infected attachment in a dispatch center, or even because of an infected authorized vendor or reseller of radio equipment for the system. Target anyone? It was an HVAC vendor that was compromised which lead to Target’s massive credit card breach. How many public service agencies still have their old/analog communication systems functional to fall back on if something like this took place?

Ransomware infections are utilizing and spreading through the EternalBlue exploit and BlueKeep exploit. EternalBlue, in particular, is present in all versions of Windows (see?) back to Windows 95!! It targets and attacks weak configurations of the SMB (Server Message Block) protocol used for sharing files, printers, and devices between hosts on a network. Microsoft has patched all versions back to Windows XP, even though XP is EOL. Win95, Win98, WinNT, and Win2000 were never patched and won’t be patched. The EternalBlue vulnerability still exists in fully patched systems running those operating systems.

Impending DOOM

I will keep using Windows 7 in the shack and as my Virtual Machine OS when I need a Windows VM. It will get replaced eventually. The reason I replace it will probably come due to loss of functionality, loss of application or hardware support for a particular program or device I want to use. Firefox was noted for supporting older operating systems. However, after 3 years of extended XP support, Firefox dropped support due to low usage and significant development time being devoted to working around issues in the operating system instead of providing enhancements on supported platforms. Sooner-than-later Windows 7 support will be dropped in favor of more recent and supported platforms.

Don’t have to jump ship on Windows 7 now unless there is a specific reason. Maybe a new computer device purchase is imminent, which will include Windows 10. Or if it’s desired to still use the old machine, maybe consider a move to a supported version of Linux!

Windows 7 is dead, long live Windows 7!

2020 ARRL Great Lakes Convention

The Great Lakes Division Convention and Hamfest 2020 sponsored by the Toledo Mobile Radio Association will be here soon. It is a two-day event with ARRL Great Lakes Convention Forums on Saturday, March 14, 2020 followed by the Toledo Hamfest on the 15th. I’ve been asked to give two presentations back-to-back on Saturday. Tentatively, the first on the Raspberry Pi and how it became a popular device with makers followed by NBEMS philosophy. I’m very proud of both presentations. The NBEMS philosophy has been presented as training in the Ohio Section and adopted by other ARES groups in other Sections. Details, locations, times, and tickets are all available on the convention’s website. Hope to see you there!

Thanks for reading and 73… de Jeff – K8JTK

Ohio Section Journal – The Technical Coordinator – July 2018 edition

One of the responsibilities of the Technical Coordinator in the Ohio Section is to submit something for the Section Journal. The Section Journal covers Amateur Radio related things happening in and around the ARRL Ohio Section. It is published by the Section Manager Scott – N8SY and articles are submitted by cabinet members.

Once my article is published in the Journal, I will also make it available on my site with a link to the published edition.

You can receive the Journal and other Ohio Section news by joining the mailing list Scott has setup. You do not need to be a member of the ARRL, Ohio Section, or even a ham to join the mailing list. Please sign up!

If you are an ARRL member and reside in the Ohio Section, update your mailing preferences to receive Ohio Section news in your inbox. Those residing outside the section will need to use the mailing list link above.
Updating your ARRL profile will deliver news from the section where you reside (if the leadership chooses to use this method).
Go to www.arrl.org and logon.
Click Edit your Profile.
You will be taken to the Edit Your Profile page. On the first tab Edit Info, verify your Email address is correct.
Click the Edit Email Subscriptions tab.
Check the News and information from your Division Director and Section Manager box.
Click Save.

Now without further ado…


Read the full edition at: http://arrl-ohio.org/news/2018/OSJ-Jul-18.pdf

THE TECHNICAL COORDINATOR
Jeff Kopcak – TC
k8jtk@arrl.net

DSCF5081 K8JTKHey gang,

Around the time of Dayton, the FBI asked everyone to reboot their routers. Why would they do that? Over the last two years more than 500,000 consumer and small business routers in 54 countries have become infected with a piece of malware called “VPNFilter.” This sophisticated malware is thought to be the work of a government and somewhat targeted with many of the infected routers located in Ukraine.

Src: Cisco’s Talos Intelligence Group Blog

Security researchers are still trying to determine what exactly VPNFilter was built to do. So far, it is known to eavesdrop on Internet traffic grabbing logon credentials and looking for specific types of traffic such as SCADA, a networking protocol controlling power plants, chemical plants, and industrial systems. Actively, it can “brick” the infected device. Bricking is a term to mean ‘render the device completely unusable’ and being as useful as a brick.

In addition to these threats, this malware can survive a reboot. Wait, didn’t the FBI ask all of us to reboot our routers? Won’t that clear the infection? No. In order for this malware to figure out what it needs to do, it reaches out to a command-and-control server. A command-and-control server issues commands to all infected devices, thus being “controlled.” C&C, as they are often abbreviated, allows the bad guys in control a lot of flexibility. It can allow infected devices to remain dormant for months or years. Then, the owner can issue commands to ‘wake-up’ the infected devices (called a botnet) and perform intended tasks. Tasks can range from attack a site, such as DynDNS which I wrote about in November of 2016, to steal logon credentials for users connected to the infected router. Back to the question, the FBI seized control of the C&C server. When an infected router is rebooted, it will try to reach out to the C&C server again but instead will be contacting a server owned by the FBI. This only gives the FBI a sense of how bad this infection is. Rebooting will not neutralize the infection.

Affected devices include various routers from Asus, D-Link, Huawei, Linksys, MikroTik, Netgear, TP-Link, Ubiquiti, Upvel, and ZTE, as well as QNAP network-attached storage (NAS) devices. There is no easy way to know if your router is infected. If yours is on that list, one can assume theirs is infected. As if that wasn’t bad enough, many manufactures don’t have firmware updates to fix the problem. The ones that have fixed the problem did so years ago. Since no one patches their routers, that’s why there’s half a million infected.
First thing to do is gather information about the make, model, and current firmware of your router. Then check for announcements from the manufacturer about affected firmware versions or preventative steps. The only known way to clear this infection is to disconnect it from the Internet, factory-reset the router, upgrade the firmware (if one is available), and reconfigure it for your network – or simply throw it away.

If those last couple words strike fear into your heart, there are a couple options:

  • See if your ISP has a device they will send or install for you. It can be reasonably assumed that devices provided or leased by the ISP will be updated by the ISP.
  • Find someone in your club that knows at least the basics of networking to help reconfigure things
  • Many newly purchased devices come with some sort of support to get you up and running

If you’re a little more advanced and want to learn more about networking:

  • EdgeRouter-X
    Use 3rd party firmware. Currently they are not showing signs of being vulnerable to VPNFilter or other infections. 3rd party firmware projects are often maintained by enthusiasts. They are updated LONG past when the manufacturer stops supporting their own products and updates often happen quickly. Some of those projects include: OpenWRT/LEDE, DD-WRT, or Fresh Tomato.
  • A Linux box could be setup with Linux packages to mimic router functionality or use a distribution such as pfSense or OPNsense.
  • Another great device to use is the Ubiquity EdgeRouter-X for $49.
  • Check the “Comparison of Firewalls” for other ideas.

That $5 hamfest deal isn’t sounding so great anymore. It’s the law of economics for these companies too. $10, $30, or $100 for a device isn’t going to sustain programmer’s time to find, fix, troubleshoot, test, and release firmware updates for a 7-year-old device. It’s a struggle. I think it will come down to spending more on better devices which will be upgraded longer or spend $50-$100 every 3-5 years to replace an OK one.

The Department of Commerce released a report on the threat of botnets and steps manufactures could take to reduce the number of automated attacks. It hits on a number of good points but lacks many details. “Awareness and education are needed.” Whose responsibility is it to educate? I can write articles in the OSJ but I’m not going to be able to visit everyone’s house and determine if your devices are infected. “Products should be secured during all stages of the lifecycle.” Automated updates could take care of this problem but doesn’t address what-ifs. What if the update fails or worse yet, bricks your “Smart” TV as an example? Who is going to fix or replace them? Will they be fixed if it’s out of warranty? Not to mention operating system “updates” are bundled with more privacy violations and ways to monetize users.

There’s a lot of work to be done. I wish I had the answers. Regardless, we all need to be good stewards of the Internet making sure ALL attached devices are updated and current.

More technical details on VPNFilter and citation for this article: https://www.schneier.com/blog/archives/2018/06/router_vulnerab.html
https://blog.talosintelligence.com/2018/05/VPNFilter.html

Finally this month, thank you to all the clubs and groups that sent messages to this station via WinLink or NTS over Field Day weekend. It was the most I’ve ever received, about 12 – 15 messages altogether.

Thanks for reading and 73… de Jeff – K8JTK

Ohio Section Journal – The Technical Coordinator – January 2018 edition

One of the responsibilities of the Technical Coordinator in the Ohio Section is to submit something for the Section Journal. The Section Journal covers Amateur Radio related things happening in and around the ARRL Ohio Section. It is published by the Section Manager Scott – N8SY and articles are submitted by cabinet members.

Once my article is published in the Journal, I will also make it available on my site with a link to the published edition.

You can receive the Journal and other Ohio Section news by joining the mailing list Scott has setup. You do not need to be a member of the ARRL, Ohio Section, or even a ham to join the mailing list. Please sign up!

If you are an ARRL member and reside in the Ohio Section, update your mailing preferences to receive Ohio Section news in your inbox. Those residing outside the section will need to use the mailing list link above.
Updating your ARRL profile will deliver news from the section where you reside (if the leadership chooses to use this method).
Go to www.arrl.org and logon.
Click Edit your Profile.
You will be taken to the Edit Your Profile page. On the first tab Edit Info, verify your Email address is correct.
Click the Edit Email Subscriptions tab.
Check the News and information from your Division Director and Section Manager box.
Click Save.

Now without further ado…


Read the full edition at: http://arrl-ohio.org/news/2018/OSJ-Jan-18.pdf

THE TECHNICAL COORDINATOR
Jeff Kopcak – TC
k8jtk@arrl.net

DSCF5081 K8JTKHey gang,

So nothing really tech news related happened this month. Eh, not so much. The New Year brought two major flaws in nearly every modern microprocessor: Meltdown and Spectre.

In the past, major security issues were able to be corrected through software or firmware updates. This is because almost everything is now run by small amounts of software and can be easily updated. Design issues are harder to fix because the problem is fundamental to the design of a device.

Description from Meltdownattack.com:

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.

Meltdown affects nearly all Intel microprocessors manufactured since 1995. In modern computing, an operating system “kernel” handles all interactions between applications (web browser, word processing, spreadsheets) and hardware (CPU, memory, network, USB devices). By its nature, the kernel must know everything about system interactions.

CPUs have different operating modes. Two modes apply to Meltdown: unprotected (called kernel mode) and user mode. Kernel mode has access to everything while instructions executed in user mode should not have access to the same memory as the kernel.

Meltdown is the demonstration of an unauthorized user mode process accessing kernel mode memory. This means a user process can access information to which it doesn’t have permission. Think of systems that share data among many users like an online cloud service. Isolation techniques are one of the major selling points of the cloud. Multiple users can be using the same physical hardware and not impact or know anything about other users also using the same hardware. A malicious process could use meltdown to access the data of other people’s applications running on the same device.

Spectre affects nearly all microprocessor implementations of speculations and predictions. In an effort to make systems run faster, a huge amount of speculative processing is engineered into processors. Speculation is the processors answer to the question: what is most likely to happen with this instruction set? Being able to “guess” the right answer provides a massive performance boost and we all want fast systems. To explain one part of this vulnerability, consider two math equations are given to a microprocessor:

a + b = c
d + e = f

The processor will recognize calculation of the second equation does not depend on anything from the first equation. This means the processor will execute these equations simultaneously until it reaches a common dependency. That dependency would be something like:

a + b = c
(d + e) * c = g

The answer c is used as an input into the computation of the second equation. Running this set through the processor would be slower because they couldn’t be calculated simultaneously. An input into the second equation is dependent on the answer to the first.

Using the same equations, let’s assume for everyone in the Ohio section, the answer to c = 5. A programmer could write an instruction set following that calculation to say: if c = 5 then take fork #1, otherwise take fork #2. How do humans know which fork to take? Calculate the value of c. However, processors try to use “speculative execution” to perform the work of both forks before it knows the answer to c.

Let’s add super-secret data to fork #1: “the Ohio Section IS the best section.” We don’t want fork #2 to know anything about that data because it might be someone from another section trying to break-in. A processor would execute both fork instruction sets speculating on the outcome. This speculation could allow someone from another section to see our secret in fork #1 when they should only see something else in fork #2. Consider a malicious smartphone application taking advantage of this to access text messages, instant messages, mobile baking data, or critical documents.

The lengthy process of dealing with these issues has begun. The only way to truly “fix” these problems is to design new CPUs architectures and replace existing ones. Yeah, sure. Remember, these issues are fundamental to processor design. If these flaws are ever corrected, it will be over a period of time – not tomorrow, next week, or even next year. In the meantime, operating systems are implementing methods to prevent attacks.

In the rush to get these fixes out, as one might expect, more problems are being caused. Microsoft has reported issues with anti-virus applications not playing nice and claiming AMD’s documentation was incomplete. Ubuntu 16.04 users had issues forcing them to roll back the kernel. In addition to all this, processor performance is impacted. Testing done on operating system patches shows slowdowns of 2% – 30%.A forum post on Epic Games included the above graph showing CPU usage of 3 cloud servers. After their cloud provider patched one server at about 23:00, CPU utilization of that server increased nearly 2.5x over the other two. Though the CPU wasn’t maxed out, it was enough to cause service disruption. Gamers really don’t like it when their services don’t work.

For most users, stay current with system patches and updates. In particular, Microsoft is requiring anti-virus programs to set a registry key before Windows will apply system updates. As of this writing, if you do not run, have an out-of-date, or have a non-compliant anti-virus application, your system will NOT receive any future Windows updates including the patches for Meltdown and Spectre. Current versions of Windows can run the free Windows Security Essentials available for Windows 7 or Windows Defender is included in Windows 8, 8,1, and 10.

Bruce Schneier, a well-known cryptographer and security researcher states: “… more are coming, and they’ll be worse. 2018 will be the year of microprocessor vulnerabilities, and it’s going to be a wild ride.” Link to his blog post.

More information:

https://meltdownattack.com/ – research papers, technical information, FAQ, videos in action, and info from companies affected.

https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)

Thanks for reading and 73… de Jeff – K8JTK

Ohio Section Journal – The Technical Coordinator – October 2017 edition

One of the responsibilities of the Technical Coordinator in the Ohio Section is to submit something for the Section Journal. The Section Journal covers Amateur Radio related things happening in and around the ARRL Ohio Section. It is published by the Section Manager Scott – N8SY and articles are submitted by cabinet members.

Once my article is published in the Journal, I will also make it available on my site with a link to the published edition.

You can receive the Journal and other Ohio Section news by joining the mailing list Scott has setup. You do not need to be a member of the ARRL, Ohio Section, or even a ham to join the mailing list. Please sign up!

If you are an ARRL member and reside in the Ohio Section, update your mailing preferences to receive Ohio Section news in your inbox. Those residing outside the section will need to use the mailing list link above.
Updating your ARRL profile will deliver news from the section where you reside (if the leadership chooses to use this method).
Go to www.arrl.org and logon.
Click Edit your Profile.
You will be taken to the Edit Your Profile page. On the first tab Edit Info, verify your Email address is correct.
Click the Edit Email Subscriptions tab.
Check the News and information from your Division Director and Section Manager box.
Click Save.

Now without further ado…


Read the full edition at: http://arrl-ohio.org/news/OSJ-October-17.pdf

THE TECHNICAL COORDINATOR
Jeff Kopcak – TC
k8jtk@arrl.net

DSCF5081 K8JTKHey gang,

October is National Cyber Security Awareness Month. I either made your eyes roll because security can be complicated or piqued your interest because of the TWO Equifax breaches. I can certainly get into the weeds with data and cybersecurity because it’s an interest of mine – as a user and programmer. Realizing that most readers won’t have a background in programming or system administration, I’ll set aside the technical details. I’ll briefly cover some cybersecurity issues and give tips anyone reading this article can use.

The whole concept of computing is built on trust. The list of things we trust is infinitely long: trust programmers of the operating system and program developers are following good practices. Trust the company stands behind their product, fixing problems and issues. Trust “Information Security Officers” of a company actually have a background in information security. Trust audits are taking place to uncover problems. Trust customer data is being stored in accordance with good security practices. Trust the website you’re browsing to is really CompanyWebsite.com. Trust “[insert name of company here] Free Wi-Fi” is really that company’s free Wi-Fi. Trust that devices in your home aren’t spying on you. You start to get the idea.

Security is a tradeoff between safety and convenience. Computing could be made very secure but those systems would be completely unusable due to the layers of security. There is no such thing as a “completely secure” system or device – it just means the mistakes, problems, and bugs haven’t been found yet. “Shellshock” is considered to be a very severe security bug. Disclosure came in September of 2014. This bug affected millions of servers connected to the internet. It was determined the bug, in some form, had existed in the UNIX (and Linux) command-line interface since 1989.
Humans program computers. Humans use computers. Humans make mistakes.

Hackers leverage these mistakes and use them to their advantage, often to gain unauthorized access. The word “hacker” has two meanings. “White-hat hackers” are the ones who experiment with and modify devices and software to make it work better. Hams are examples of these because we take commercial gear and make repeaters or use off-the-shelf routers for things like Mesh networking. “Black-hat hackers” are the bad guys and the ones we hear about on the news stealing credit card data from Target and personal data from Equifax. These are the ones I will be referring to.

Hollywood gives us the perception that hackers are in some 3rd-world country or in a dark basement, no lights, and only the glow of their computer screens. Hackers come from all parts of the world and sometimes are acting on a government’s behalf. In fact, legitimate companies exist solely to sell their black-hat hacking tools. They have buildings, employees, call centers, and help desks – as does any legitimate company.

What’s the motivation behind hacking?

Money. It’s hard not to tie everything back to money. The first reference to malicious hacking was “phreaking” (pronounced freaking. AKA: phone hacking) where one of the goals was to manipulate the public phone system and use it to make long-distance calls when it was very expensive to call around the world. More recent financial examples include everything from disrupting nation-states (economic), blackmail, and ransom payments for access to data. Ransomware encrypts all documents and pictures. It demands payment before it will (hopefully) decrypt your files allowing you to use those files again. Ransomware utilizes the same technology, strong encryption, which you use to securely transact with your bank online.

My social media, computer, or online account has no value [to me] / I only check email / I don’t store anything on my computer / why would anyone want access to my email or computer?

I hear these alot. Many of us don’t realize all the things a bad guy can do with computer access or an email account. Brian Krebs is a blogger who covers computing security and cybercrime on his website Krebs on Security. He is known for infiltrating underground cybercrime rings and writes about his experiences. His site is highly recommended reading for anyone with an interest in cybersecurity.

Brian posted two articles titled “The Value of a Hacked Email Account” and “The Scrap Value of a Hacked PC…” When signing up for any online service, an email address is almost always required. In 2013, according to Brian’s article, hackers who have access to email accounts can subsequently gain access to other services such as iTunes and sell that access for $8 each. FedEx, Continental, United accounts go for $6. Groupon, $5. Hosting and service accounts like GoDaddy, AT&T, Sprint, Verizon Wireless, and T-Mobile, $4 apiece. Facebook and Twitter accounts were $2.50/ea.

Aside from the monetary value, bad guys have access to family pictures, work documents, chat history, can change billing and deposit addresses on banking accounts, drain financials like 401K, bank or stock accounts, and target other individuals like family members. In 2012, a hacker went after Wired journalist Mat Honan locking him out of his digital life. The attacker used flaws in Amazon and Apple’s services, which helped them gain access to Mat’s Gmail and ultimately his Twitter account.

Access to a personal computer can be gained through a number of schemes including: fake ‘you have an out-of-date plugin/flash version’ on a webpage, receive an email about a past due invoice, notification of a problem with some shipment, or by innocently installing a program thought to be legitimate. A recent example of a compromised program was the widely popular PC maintenance program, CCleaner. Untold millions of people unknowingly downloaded a malicious version of the program from the vendor’s site.

A hacked PC can be used for: generating email spam, harvesting other accounts (see above), gain access to a work network, steal online game keys and characters, be part of a Denial of Service attack, infect other devices on the network (like DVRs), create fake eBay auctions, host child porn, capture images from web-cams or network cameras and use them for extortion purposes.

What can I do to protect myself?

Unfortunately in situations of compromise like Target and Equifax, there was nothing you could do – other than not use a credit card at Target or not apply for any kind of credit reported to Equifax. Unlikely for many. You can only react after-the-fact by closing accounts with fraudulent charges and place credit warnings or freezes on your credit.

The SANS Institute, which specializes in information security and cybersecurity training, offers a “monthly security awareness newsletter for everyone” called “Ouch!” Their October 2017 newsletter outlines five steps to help anyone overcome fears and securely use today’s technology. Check the newsletter for more information on these points.

  1. Social Engineering: is an old technique which creates a sense of urgency to tick people into giving up information they shouldn’t: someone needs money quickly, boss needs a password, the IRS is filing suit against you, Microsoft Tech Support calls you about a “virus” on your computer, etc. Never give a password, any personal information, or remote access to any solicitor.
  2. Passwords: Create unique, strong passwords for all online devices and online accounts. Use a password manager which will assist in creating strong passwords. LastPass utilizes a web interface and cloud storage, KeePass is an application and stores the database locally on your computer. Both are excellent solutions for a password manager.
    If you’re uncomfortable with a password manager, use pass-phrases which are passwords made up of multiple words. Passphrases can be written down, but store these in a secure location. Use two-step verification, often called two-factor authentication. Two-factor authentication (2FA) is a combination of something you know (your password) and something you have (a smartphone). A list of services offering 2FA with instructions can be found at: twofactorauth.org. Note: text messages are NOT a secure two-factor method because the cellphone network is not secure and attackers have been able to re-route text messages.
  3. Patches: Put all devices connected to the Internet behind a firewall (router) and keep all systems connected to the internet up-to-date. This includes home routers, computers, smartphones, tablets, streaming media devices, thermometers, Raspberry PIs, lights, automation systems, speakers, and video cameras. If devices are not being updated by the vendor, potentially dangerous mistakes are not being fixed. It’s time to consider better devices.
  4. Anti-virus: can protect you when you accidentally click on the thing you shouldn’t have and infected your system. It won’t protect against every form of infection. Windows Defender, available for all current Windows operating systems, is sufficient.
  5. Backups: I cannot stress this enough, backup, backup, backup! Many times I’m asked something similar to: ‘how can I recover my daughter’s wedding pictures from my computer’s crashed drive?’ Maybe you can, but often not. ‘I lost my phone, didn’t have cloud backup enabled, and had vacation pictures on there.’ Yea, they’re really gone. Backups serve as a way to recover from your own mistakes like accidentally deleted files and ransomware cyberattacks. A “3-2-1 backup strategy” includes 3 copies of your data, 2 on different media, 1 off-site. For most of us, this means: the original data is the 1st copy, an external hard drive (disconnected when not copying data) or network storage drive houses the 2nd copy, and a copy on a USB flash drive stored at work or backed up using a cloud backup solution – is the off-site 3rd copy.

A layered approach to security is considered best practice. As an example, creating strong passwords AND using two-factor authentication. The more layers the better, but more layers means less convenience. Brian Krebs also offers his “Tools for a Safer PC” which includes switching to OpenDNS in your home router. DNS is the service that turns human-readable URLs into IP address. OpenDNS blocks communication with known malware sites.

Hopefully this information has grabbed your attention and guided you to take steps to become safer online. Thanks for reading and 73… de Jeff – K8JTK

Imgs: Krebs on Security, Ars Technica.

Ohio Section Journal – The Technical Coordinator – February 2016 edition

One of the responsibilities of the Technical Coordinator in the Ohio Section is to submit something for the Section Journal. The Section Journal covers Amateur Radio related things happening in and around the ARRL Ohio Section. It is published by the Section Manager Scott – N8SY and articles are submitted by cabinet members.

Once my article is published in the Journal, I will also make it available on my site with a link to the published edition.

You can receive the Journal and other Ohio Section news by joining the mailing list Scott has setup. You do not need to be a member of the ARRL, Ohio Section, or even a ham to join the mailing list. Please sign up!

If you are an ARRL member and reside in the Ohio Section, update your mailing preferences to receive Ohio Section news in your inbox. Those residing outside the section will need to use the mailing list link above.
Updating your ARRL profile will deliver news from the section where you reside (if the leadership chooses to use this method).
Go to www.arrl.org and logon.
Click Edit your Profile.
You will be taken to the Edit Your Profile page. On the first tab Edit Info, verify your Email address is correct.
Click the Edit Email Subscriptions tab.
Check the News and information from your Division Director and Section Manager box.
Click Save.

Now without further ado…


Read the full edition at: http://n8sy2.blogspot.com/2016/02/february-issue-of-ohio-section-journal.html

THE TECHNICAL COORDINATOR
Jeff Kopcak – TC
k8jtk@arrl.net

DSCF5081 K8JTKHey Gang,

I was contacted this month by someone concerned that Fldigi would install a “trojan” on their computer and wanted to know where to get a clean download of the program. Before panic sets in, there is no reason to smash your hard drives. Why did I receive this question? I’ll explain the tech behind the issue.

The place that Fldigi, Flmsg, Flrig, and all other applications are now hosted is at a place called SourceForge (also abbreviated “SF”). SourceForge is a web service launched in 1999 that offers tools for developers to manage their projects for free. They host source code (for those who wanted to read, audit, modify, or learn from raw code), web pages for the project, mirrors (hosting in multiple locations in case any-one server is down), bug tracking, and many other features. It was the place for hosting free and open-source software. A ton of very well-known projects were (some still are) hosted on SourceForge: Apache Server, GIMP, OpenOffice, Firefox, Thunderbird, Audacity, Filezilla, Drupal, WordPress, JT65-HF… list goes on.

Some users were discouraged by the number of advertisements on the site. Though it is an ad-supported free service, there weren’t any viable alternatives.

In July 2013, SourceForge created an optional service available to developers called “DevShare.” Any developer who participated in the service would knowingly push additional unwanted programs to anyone downloading their project. This is commonly referred to as ‘crapware’ encompassing adware, download managers, antivirus programs, browser toolbars, homepage modifications, search engine replacements, and the like.

In May 2015, it was reported that SourceForge seized control of what they considered ‘deprecated or abandoned’ Windows projects. In taking control, they locked out the developer and “updated” project downloads to push similar ad-supported content.

This is a problem because the open-source community is just that, a community. They are made up of enthusiasts that like developing programs. Much like ham radio, they donate their time and do it for free. When a company takes the good name of a well-known project and tarnishes it by installing adware on users’ computers, this doesn’t go over well with the community. Their business practices effectively destroyed what was left of SourceForge’s reputation.

The DevShare project started a movement within the community to find replacements for SourceForge; GitHub primarily. SF since stated they are not taking control of unmaintained projects. It was too-little, too-late. Many developers deleted their projects from SF and moved their content elsewhere. It is up to each developer to make a decision about their project. I’ve provided links at the end of the article that go more in-depth for those into tech stories. SourceForge is not the only site that bundles crapware in downloads. Download sites like CNet’s Download (dot) com and many other free file hosting services also push ads and unwanted programs.

slusbBack to Fldigi. The developer of Fldigi maintained the installer and source files on his own server. Somewhere near the end of last year, his site was hacked. The decision was made to move the files from his server over to SourceForge. Likely in an attempt to be more secure.

This created a problem for many who are aware of the issues with SourceForge. Unfortunately, it is the only place where the Fldigi Suite updates and downloads reside. I have installed many Fldigi updates since the move to SourceForge and have not seen anything to suggest any unwanted programs are included. The issue is something to be aware of.

Good security practice dictates not downloading anything you-yourself didn’t go looking for. If you do download Fldigi and it is prompting you to install an antivirus program, this is a huge red flag. Another example: never click anything that says ‘your plugins, Java, Flash, antivirus, or system… is out of date’ because you weren’t looking for those updates.

In other news, I would like to welcome Technical Specialist Eldon – W5UHQ. If that sounds familiar, it’s because he is the Net Manager for the OHDEN HF digital net. The Ohio Digital Emergency Net meets Tuesday evenings at 8pm on 3585 using OLIVIA 8/500 at 1 kHz. The purpose is to provide statewide communications to EMA and EOC’s in Ohio using sound card digital modes. If that wasn’t enough, he brings an extensive background in communications and electronics to the group. OHDEN net: http://ohden.org/

I will be at the Mansfield Hamfest on February 21. I’ve been invited to present during the Digital Forum at noon. This is assuming the weather is better than it has been the last few days, hi hi. The Digital Forum will contain a presentation on digital voice by Duane – K8MDA and I will present passing messages using Fldigi. Hope to meet you at Mansfield! More: http://hamfest.w8we.org/

Thanks for reading and 73… de Jeff – K8JTK

Articles on SourceForge:

http://www.infoworld.com/article/2929732/open-source-software/sourceforge-commits-reputational-suicide.html

http://arstechnica.com/information-technology/2015/05/sourceforge-grabs-gimp-for-windows-account-wraps-installer-in-bundle-pushing-adware/